I have run into a bit of an issue with adding ta...
Description: Query looks for any command lines using net.exe to check admin accounts, groups and the like. This is normally the initial activity after an intruder gains access to any host in the client's environment. It's in the cyber security team's interest to know who is executing these commands to learn the environment and further spread laterally. The cyber security team will need to know which users are trying to execute those commands, for possible compromise of that user account in case it was not an admin user and/or the user didn't actually execute from the known host.
Supporting Link:
Threat: Query is looking for usage of the net.exe or net1.exe command to view domain admins, groups and the like to spread laterally
False Positives: Nil, but there could be legit admin usage
Recommended Score: Number (1-100) 99
Query (example): (process_name:net.exe OR process_name:net1.exe) AND (cmdline:"group /domain \"Domain Admins\"" OR cmdline:"group /domain \"Enterprise Admins\"" OR cmdline:"group /domain \"Enterprise Administrators\"" OR cmdline:"group /domain \"Domain Administrators\"" OR cmdline:"view /domain" OR cmdline:"localgroup /domain \"Administrators\"" OR cmdline:"localgroup /domain \"Account Operators\"")
URL Query (example): cb.urlver=1&q=((process_name%3Anet.exe%20OR%20process_name%3Anet1.exe)%20AND%20(cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Admins%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Enterprise%20Administrators%5C%22%22%20OR%20cmdline%3A%22group%20%2Fdomain%20%5C%22Domain%20Administrators%5C%22%22%20OR%20cmdline%3A%22view%20%2Fdomain%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Administrators%5C%22%22%20OR%20cmdline%3A%22localgroup%20%2Fdomain%20%5C%22Account%20Operators%5C%22%22))&sort=&rows=10&start=0
3 Comments - I am getting an error with the query syntax and I am unsure how to adjust the above query to fit into Response 6, has anyone adjusted this?
\pipe\") OR (filemod:*\appdata\local\temp\*.dll AND netconn_count:[1 TO *] AND -digsig_result:"Signed"))
URL Query (example): cb.urlver=1&q=((cmdline%3A%22%2Fc%20echo%22%20AND%20cmdline%3A%22%5C%5C.%5Cpipe%5C%22)%20OR%20(filemod%3A*%5Cappdata%5Clocal%5Ctemp%5C*.dll%20AND%20netconn_count%3A%5B1%20TO%20*%5D%20AND%20-digsig_result%3A%22Signed%22))&sort=&rows=10&start=0&shared=true
Cb Process Tree (attach CB Art here if you have it) (example):
Hi Alessandro,
The best place to look is on the Support Site at the Knowledge articles.
https://support.broadcom.com/web/ecx/search?searchString=&activeType=server knowledge article&from=0&sortby=post time&orderBy=desc&pageNo=1&aggregations=%5B%7B%22type%22%3A%22 index%22%2C%22filter%22%3A%5B%22server knowledge article%22%5D%7D%2C%7B%22type%22%3A%22productname%22%2C%22filter%22%3A%5B%22CA+Client+Automation%22%5D%7D%5D&uid=d042dbba-f8c4-11ea-beba-0242ac12000b&resultsPerPage=10&exactPhrase=&withOneOrMore=&withoutTheWords=&pageSize=10&language=en&state=2&suCaseCreate=false
For example, if you search for Reaper Thread one example is: https://knowledge.broadcom.com/external/article?
Recommended Score: Number (1-100) 100
Query (example): cmdline:"-accepteula" AND cmdline:"-c" AND (cmdline:"-d" OR cmdline:"-s")
URL Query (example): cb.urlver=1&q=(cmdline%3A%22-accepteula%22%20AND%20cmdline%3A%22-c%22%20AND%20(cmdline%3A%22-d%22%20OR%20cmdline%3A%22-s%22))
Cb Process Tree (attach CB Art here if you have it) (example): N/A
#CbResponse
5 Comments - Note that you could also add internal_name:psexec.exe to my original query
Based on data from IR partners and our SEs, we're expanding the search parameters for three of our queries:

Advanced Threats
Powershell executed with encoded instructions
Current query: cb.urlver=1&q=(process_name%3Apowershell.exe%20AND%20(cmdline%3A-enc%20OR%20cmdline%3A-encodedcommand))&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: process_name:powershell.exe AND (cmdline:-enc OR cmdline:-encodedcommand)
Updated query: cb.urlver=1&q=((cmdline%3A-e%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedcommand)%20and%20powershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: (cmdline:-e OR cmdline:-enc OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedcommand) and powershell.exe

Community
Powershell Downloading File From URL
Current query: cb.urlver=1&q=(cmdline%3Anet.webclient%5C).downloadstring%5C(http%3A%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: cmdline:net.webclient\).downloadstring\(http: process_name:powershell.exe
Updated query: cb.urlver=1&q=((cmdline%3Anet.webclient%5C).downloadstring%5C(http%3A%20OR%20cmdline%3Anet.webclient%5C).downloadstring%5C(https%3A)%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: (cmdline:net.webclient\).downloadstring\(http: OR cmdline:net.webclient\).downloadstring\(https:) process_name:powershell.exe

Powershell Executing Hidden, Encoded Commands
Current query: cb.urlver=1&q=(((cmdline%3A-encodedcommand%20OR%20cmdline%3A-enc)%20AND%20cmdline%3Ahidden))%20and%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: ((cmdline:-encodedcommand OR cmdline:-enc) AND cmdline:hidden)) and process_name:powershell.exe
Updated query: cb.urlver=1&q=(((cmdline%3A-e%20OR%20cmdline%3A-enc%20OR%20cmdline%3A-encode%20OR%20cmdline%3A-encoded%20OR%20cmdline%3A-encodedcommand)%20AND%20cmdline%3Ahidden%20)and%20process_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: ((cmdline:-e OR cmdline:-enc OR cmdline:-encode OR cmdline:-encoded OR cmdline:-encodedcommand) AND cmdline:hidden) and process_name:powershell.exe

Thanks to , and for helping us stay on top of attackers' latest tricks!
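The posts in this thread give each search twice, once as the human-readable Cb Response query and once as the URL-encoded `cb.urlver=1&q=...` string, and the question earlier in the thread about fitting a query into Response 6 was a syntax error. The helper below is an added example for this thread, not code from any of the posts or from Carbon Black: it decodes a pasted URL back to the readable query, re-encodes a readable query into the URL form, and checks parenthesis balance while ignoring quoted cmdline terms and backslash-escaped quotes. The parameter names `cb.urlver`, `q` and `cb.q.os_type` are taken from the URLs above; `SAMPLE_URL` is copied from the "Current query" of the encoded-PowerShell report, and the remaining names are my own.

```python
"""Move between the human-readable and URL-encoded forms of a Cb Response
search, and sanity-check parenthesis balance before pasting a query into
a watchlist.  Added example for this thread; not Carbon Black's own code."""
from urllib.parse import quote, unquote

# Besides alphanumerics and "_.-~", which quote() never encodes, the URLs in
# this thread leave parentheses and the wildcard star unencoded.
_SAFE = "()*"


def parse_cb_url(url_query: str) -> dict:
    """Split 'cb.urlver=1&q=...&cb.q.os_type=...' into decoded parameters.

    Splitting by hand instead of using urllib's parse_qs keeps a literal '+'
    in the search string intact rather than turning it into a space."""
    params = {}
    for pair in url_query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def human_readable(url_query: str) -> str:
    """Return only the decoded q= search string."""
    return parse_cb_url(url_query).get("q", "")


def to_cb_url(query: str, os_type: str = "") -> str:
    """Encode a readable query into the URL form used in these posts,
    optionally adding the cb.q.os_type facet filter."""
    url = "cb.urlver=1&q=" + quote(query, safe=_SAFE)
    if os_type:
        url += "&cb.q.os_type=" + quote(f'(os_type:"{os_type}")', safe=_SAFE)
    return url


def parens_balanced(query: str) -> bool:
    """True if every '(' outside a quoted string has a matching ')'.

    Quoted cmdline terms may contain parentheses, and escaped quotes such as
    the ones in the net.exe group queries must not toggle quote state, so a
    backslash skips the character that follows it."""
    depth = 0
    in_quote = False
    i = 0
    while i < len(query):
        ch = query[i]
        if ch == "\\":          # escaped character: skip it whatever it is
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth < 0:   # a close before its open
                    return False
        i += 1
    return depth == 0 and not in_quote


# The "Current query" URL from the encoded-PowerShell report above.
SAMPLE_URL = (
    "cb.urlver=1&q=(process_name%3Apowershell.exe%20AND%20"
    "(cmdline%3A-enc%20OR%20cmdline%3A-encodedcommand))"
    "&cb.q.os_type=(os_type%3A%22windows%22)"
)

if __name__ == "__main__":
    readable = human_readable(SAMPLE_URL)
    print(readable)
    print("balanced:", parens_balanced(readable))
    print("round-trip ok:", to_cb_url(readable, "windows") == SAMPLE_URL)
```

Running a query through `parens_balanced` before saving it catches the kind of stray `)` that appears in the "Current query" of the hidden/encoded report above, which the console would otherwise report only as a generic syntax error.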
Description: Identify MsiExec.exe being used to download an *.msi installer from the Internet.
Supporting Link: Fun with Windows binaries – application whitelist bypass using msiexec – Nettitude Labs
Threat: MsiExec.exe is a trusted executable, and can be used to download an installer from the Internet. Depending on the policies in place on your endpoints, this method may allow an adversary to bypass application whitelisting configurations.
False Positives: Low
Recommended Score: Number (1-100) 75
Query: process_name:msiexec.exe cmdline:"/i" (cmdline:"http:" OR cmdline:"https:")
URL Query: cb.urlver=1&q=(process_name%3Amsiexec.exe%20cmdline%3A%22%2Fi%22%20(cmdline%3A%22http%3A%22%20OR%20cmdline%3A%22https%3A%22))
3 Comments - Yeah, that other article referencing this seems like a weird one to me. To the best of my awareness, MSIEXEC won't accept -i or -I as a parameter, so I am thinking the actual command would have failed out. It seems like this attacker made a typo. Which leads me on to thinking that, if we were to put typos into Watchlists, that is less about covering a technique, and more about a specific indicator (of the specific attacker who seems to have made a specific typo). I think I'd want it in some kind of "specific indicators" list as opposed to technique coverage.
Supporting Link: GitHub - giMini/PowerMemory: Exploit the credentials present in files and memory
Threat: This query is specific to PowerMemory, and works by looking for fragments of PowerShell command lines. PowerMemory attempts to recover credentials from memory.
Advanced Threats
Proxy Modifications By Shell/Script Process
Query: cb.urlver=1&q=(regmod%3Aautoconfigurl%20and%20regmod%3Awpadnetworkname%20and%20regmod%3Aproxyenable%20and%20(process_name%3Awscript.exe%20or%20process_name%3Apowershell.exe%20or%20process_name%3Acmd.exe%20or%20process_name%3Acscript.exe))&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: regmod:autoconfigurl and regmod:wpadnetworkname and regmod:proxyenable and (process_name:wscript.exe or process_name:powershell.exe or process_name:cmd.exe or process_name:cscript.exe)
Retefe Child Processes
Query: cb.urlver=1&q=(childproc_name%3Ataskkill.exe%20childproc_name%3Acertutil.exe%20childproc_name%3Apowershell.exe)&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: childproc_name:taskkill.exe childproc_name:certutil.exe childproc_name:powershell.exe

Community
Office Test Special Perf Regmod for Persistence
Query: cb.urlver=1&q=regmod%3A%22Software%5CMicrosoft%5COffice%20test%5Cspecial%5Cperf%22
Human readable: regmod:"Software\Microsoft\Office test\special\perf"
MSCFile Regmod for UAC bypass
Query: cb.urlver=1&q=regmod%3A%22mscfile%5Cshell%5Copen%5Ccommand%22
Human readable: regmod:"mscfile\shell\open\command"
Hancitor Suspicious Process Name
Query: cb.urlver=1&q=process_name%3AWinHost32.exe&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: process_name:WinHost32.exe

Suspicious Indicators
Root Cert Added by Script/Shell
Query: cb.urlver=1&q=(cmdline%3A%22-addstore%22%20cmdline%3A%5C%22ROOT%5C%22%20process_name%3Acertutil.exe%20(parent_name%3Awscript.exe%20or%20parent_name%3Apowershell.exe%20or%20parent_name%3Acmd.exe%20or%20parent_name%3Acscript.exe))&cb.q.os_type=(os_type%3A%22windows%22)
Human readable: cmdline:"-addstore" cmdline:\"ROOT\" process_name:certutil.exe (parent_name:wscript.exe or parent_name:powershell.exe or parent_name:cmd.exe or parent_name:cscript.exe)
False Positives: None observed
Recommended Score: 100
Query: (regmod:software\microsoft\windows\currentversion\run\* OR regmod:"software\microsoft\windows nt\currentversion\winlogon\userinit") AND (regmod:"software\microsoft\security center\uacdisablenotify" OR regmod:"software\microsoft\security center\updatesdisablenotify" OR regmod:"software\microsoft\security center\firewalldisablenotify" OR regmod:"software\microsoft\security center\firewalloverride" OR regmod:"software\microsoft\security center\antivirusdisablenotify" OR regmod:"software\microsoft\security center\antivirusoverride")
URL Query: cb.urlver=1&q=((regmod%3Asoftware%5Cmicrosoft%5Cwindows%5Ccurrentversion%5Crun%5C*%20OR%20regmod%3A%22software%5Cmicrosoft%5Cwindows%20nt%5Ccurrentversion%5Cwinlogon%5Cuserinit%22)%20AND%20(regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cuacdisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cupdatesdisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cfirewalldisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cfirewalloverride%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cantivirusdisablenotify%22%20OR%20regmod%3A%22software%5Cmicrosoft%5Csecurity%20center%5Cantivirusoverride%22))
#CbResponse
7 Comments - You may have to "ignore" the original report in the feed to stop the alerts. On the "Threat Reports" page for the Community feed: Flip the "no" to a "yes" to stop it alerting entirely